Re-sending activation links causes issues


(Felix Freiberger) #1

I just recently received a question from one of my users not being able to activate his account, and I have been able to reproduce it on a new test install on version Discourse 1.4.0.beta9 - https://github.com/discourse/discourse version 4c2df814de4671880d532ae6514c470d831b7009:

  1. Set email token valid hours to something short, like 1.
  2. Register a new account.
  3. Ignore the activation mail for 1 hour.
  4. Try using the link, get "Sorry, this account confirmation link is no longer valid. Perhaps your account is already active?".
  5. Try to log in, get "You can't log in yet. We previously sent an activation email to you at test2@fefrei.de. Please follow the instructions in that email to activate your account. Click here to send the activation email again."
  6. Click to resend the activation mail.
  7. Open the new activation mail, and click the (different) link, click Activate, get another "Sorry, this account confirmation link is no longer valid. Perhaps your account is already active?".
  8. Click the Discourse logo to navigate to the main page. Surprise: You’re logged in!

So it seems that step 7 is actually working (as it should), but the user is still shown the error message.


(Jeff Atwood) #2

Can you verify this @techapj? Also, does it work if you set it to 2 or 3 hours @fefrei? Why does the setting need to be so aggressively low?


(Felix Freiberger) #3

I have a user report for my site, which was set to 6 hours. I set it to 1 in my test install because my patience is limited to 61 minutes and I didn’t want to fiddle with the clock :wink:


(Felix Freiberger) #4

Hooray – I’ve been able to reproduce exactly what was explained to me on my production instance. The steps and symptoms differ a bit.

I have email token valid hours and purge unactivated users grace period days set to their default values. Then, I did the following steps:

  1. Sign in with SSO to a non-existing account. Since our SSO provider does not validate E-Mails, Discourse sends out an activation mail:
  2. Wait between 24 hours and 7 days, so the link expires but the account survives.
  3. Click the link, click the button to activate the account. Unsurprisingly, this tells me the link is invalid:
  4. Re-try to login. Once again, Discourse tells me it sent out an activation mail. I did not get the screen telling me that I can re-send the mail – it looked just as in step 1! Discourse sends out a new activation mail:
  5. Try to activate the account, which once again fails.

This failure is no surprise: Discourse sent out the old, expired token again! Look at my screenshots above, which include the date and time (both were captured just now, so no date means 21.08.2015).

While I’m not entirely sure why the behavior differs, the core difference seems to be SSO (my test install did not use SSO!). Both versions seem like a bug to me, with this one being more severe.
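
An added example, not part of the thread and not Discourse's code: a minimal Ruby model of the failure described in post #4, where a resend path re-mails the stored token without checking its age, next to a resend that checks expiry first. The class, method names and timeline values are hypothetical and constructed for illustration.

```ruby
require "securerandom"
# Hypothetical in-memory model of activation tokens; not Discourse's schema.
Token = Struct.new(:value, :created_at, :confirmed)

class ActivationTokens
  def initialize(valid_hours:)
    @valid_seconds = valid_hours * 3600
    @tokens = [] # oldest first
  end

  def issue(now)
    @tokens << Token.new(SecureRandom.hex(16), now, false)
    @tokens.last
  end

  def expired?(token, now)
    now - token.created_at > @valid_seconds
  end

  # Flawed resend: re-mails the most recent token without checking its age.
  def resend_reusing_latest(now)
    @tokens.last || issue(now)
  end

  # Checked resend: reuse only a still-valid, unconfirmed token, else mint a new one.
  def resend_checked(now)
    latest = @tokens.last
    return latest if latest && !latest.confirmed && !expired?(latest, now)
    issue(now)
  end

  # Activation succeeds only for a known, unconfirmed, unexpired token.
  def confirm(value, now)
    token = @tokens.find { |t| t.value == value }
    return false if token.nil? || token.confirmed || expired?(token, now)
    token.confirmed = true
  end
end

# Constructed timeline: 24-hour validity, the user comes back after 3 days.
def replay(resend_method)
  store = ActivationTokens.new(valid_hours: 24)
  first = store.issue(Time.at(0))
  later = Time.at(3 * 24 * 3600)
  resent = store.public_send(resend_method, later)
  { same_token: resent.equal?(first), activated: store.confirm(resent.value, later + 60) }
end

p replay(:resend_reusing_latest), replay(:resend_checked)
```

A regression test for this class of bug asserts both properties: the resent token differs from the expired one, and the resent token activates the account.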


(Arpit Jalan) #5

Fixed the original issue you reported via:

https://github.com/discourse/discourse/commit/91519fdfe7f8665999eac290e872879703fcaca8

The second SSO login issue you reported is unrelated to the original issue, and I can repro it on my dev instance. I have a fix for it, but need to test it thoroughly.


(Arpit Jalan) #6

Fixed via:

https://github.com/discourse/discourse/commit/10b8e43a92b38e3e36a90990ffa94e6f4057ac93

Thanks for detailed repro steps @fefrei! :gift_heart:


(Felix Freiberger) #7

Thanks, @techAPJ, twice! And sorry for mixing up both bugs: I discovered the first one while trying to find a repro for the second :wink:


(Arpit Jalan) #8